Corman is referring to recent cyber attacks on critical infrastructure—hospitals in the U.S. and U.K., and the Ukrainian power grid—which caused disruption and suspension of service that could have cost people their lives. Researchers, too, are doing their part to identify vulnerabilities in critical systems which, if exploited, could crash cars, disable life-saving health monitoring devices, prohibit access to utilities, or even cause explosions. While much of the potential is theoretical at present, Corman and his colleagues are working hard to ensure the U.S. government and private organizations alike are taking the warnings seriously, enacting legislation, frameworks, and guidance that will prevent some of the theoretical from becoming reality.

During a recent interview with Infosec Insider, Corman reiterated that “This is more than denial of service or stolen data.” We’ve seen (likely) state-sponsored attacks ratchet up of late, and the number of connected and insecure devices is concerning to security practitioners. One of the problems, though, is that connected devices are not always (and not usually) developed with security in mind, and any security controls are either implemented after the fact or become the responsibility of the device owner. “Seventy-five percent of hospitals don’t have a single security person” even though they are “hyper connected,” Corman offers as an example of the problem.

Because the potential for catastrophic damage is simmering just below the surface and entities are not equipped to handle the challenges, the Atlantic Council has been hard at work speaking with the government about cyber safety policy guidance and regulations that will help manufacturers and developers place cybersecurity at the forefront. Eight new cyber safety policy maneuvers and a pending executive order are currently underway in the U.S., but Corman says they’re nascent. “We’ll have to crawl then walk then run,” he says, but adds that what he’s seeing is encouraging. Device manufacturers have the advantage of adopting best practices from traditional security environments.

In the full video interview with Infosec Insider, Corman shares his thoughts on and concerns with the current state of cyber security, privacy, and safety.
